This invention relates to network access systems. More particularly, the invention relates to the control of access to a network by a user through an authentication server that generates an authentication ticket indicating whether the user has been authenticated.
The recent growth in popularity of the Internet has significantly increased the number of Internet users and the number of Internet sites (also referred to as "web sites"). Web sites may provide various types of information to users, offer products or services for sale, and provide games and other forms of entertainment. Many web sites require users to "register" by providing information about themselves before the web server grants access to the site. This registration information may include the user's name, account number, address, telephone number, email address, computer platform, age, gender, or hobbies. The registration information collected by the web site may be necessary to complete transactions (such as commercial or financial transactions). Additionally, information can be collected which allows the web site operator to learn about the visitors to the site to better target its future marketing activities or adjust the information provided on the web site. The collected information may also be used to allow the web site to contact the user directly (e.g., via email) in the future to announce, for example, special promotions, new products, or new features of the web site.
When registering with a web site for the first time, the web site typically requests that the user select a login ID and an associated password. The login ID allows the web site to identify the user and retrieve the user's information during subsequent user visits to the web site. Generally, the login ID must be unique to the web site such that no two users have the same login ID. The password associated with the login ID allows the web site to authenticate the user during subsequent visits to the web site. The password also prevents others (who do not know the password) from accessing the web site using the user's login ID. This password protection is particularly important if the web site stores private or confidential information about the user, such as financial information or medical records.
If a user visits several different web sites, each web site may require entry of similar registration information about the user, such as the user's name, mailing address, and email address. This repeated entry of identical data is tedious when visiting multiple web sites in a short period of time. Many web sites require the user to register before accessing any information provided on the web site. Thus, the user must enter the requested registration information before they can determine whether the site contains any information of interest.
After registering with multiple web sites, the user must remember the specific login ID and password used with each web site or other Internet service. Without the correct login ID and password, the user must re-enter the registration information. A particular user is likely to have different login IDs and associated passwords on different web sites. For example, a user named Bob Smith may select "smith" as his login ID for a particular site. If the site already has a user with a login ID of "smith" or requires a login ID of at least six characters, then the user must select a different login ID. After registering at numerous web sites, Bob Smith may have a collection of different login IDs, such as: smith, smith1, bsmith, smithb, bobsmith, bob_smith, and smithbob. Further, different passwords may be associated with different login IDs due to differing password requirements of the different web sites (e.g., password length requirements or a requirement that each password include at least one numeric character). Thus, Bob Smith must maintain a list of web sites, login IDs, and associated passwords for all sites that he visits regularly.
The invention provides a mechanism for controlling access to a network server (such as a web server) through the use of an authentication ticket. A web user can maintain a single login ID (and associated password) that provides access to multiple web servers or services. Once the user has logged into an authentication server, it is not necessary to re-enter the login ID or user information when accessing other affiliated web servers. The single login ID has an associated user profile that contains the registration information typically requested by web servers during a user registration process. The authentication server authenticates each login ID using the associated password and generates an authentication ticket indicating whether the user is authenticated (i.e., whether the user should be granted access to the web server). The individual web servers are not required to authenticate the individual users. Further, to protect the user's password, the individual web servers do not receive the user's password. Instead, the individual web servers receive an authentication ticket indicating whether the user was authenticated by the authentication server and how long since the user was last authenticated. The authentication ticket includes two time stamps: one indicating the last time the user's login ID and password were physically typed by the user and a second time stamp indicating the last time the user's login information was refreshed by the authentication server. This "refresh" of the user's login information may be performed silently or by having the user type the login information.
An implementation of the invention receives a request from a network server to authenticate a user who is seeking access to the network server. The process determines whether the user was already authenticated by the authentication server. If the user was already authenticated, then the network server is notified that the user is authenticated through the use of an authentication ticket. If the user was not already authenticated by the authentication server, then login information is retrieved from the user and compared to authentication information maintained by the authentication server. The network server is notified (through the use of an authentication ticket) that the user is authenticated if the retrieved login information matches the authentication information.
Other aspects of the invention provide for an authentication ticket that does not contain any reference to the user's login information.
In accordance with another aspect of the invention, the authentication ticket includes a first time stamp indicating the last time the user's login information was refreshed, and a second time stamp indicating the last time the user physically entered their login information.
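The following is an added illustration of the flow described above (the authentication server comparing login information, the silent refresh, and a ticket carrying only an authenticated flag and the two time stamps, with no login ID or password); it is not code from the patent. The HMAC over the ticket, the shared key and the sample credential store are assumptions introduced here so an affiliated web server can detect a forged or altered ticket; the patent text does not specify how tickets are protected.

```python
import base64, hashlib, hmac, json

# Constructed demo key. The page does not say how tickets are protected from
# forgery; an HMAC keyed with a secret shared with affiliated servers is assumed.
SHARED_SECRET = b"constructed-demo-secret"

class AuthenticationServer:
    def __init__(self, credentials):
        self.credentials = credentials  # login_id -> password (constructed store)
        self.sessions = {}              # login_id -> {"typed": ts, "refreshed": ts}

    def login(self, login_id, password, now):
        """User types login information; compare with stored authentication information."""
        if not hmac.compare_digest(self.credentials.get(login_id, ""), password):
            return None
        self.sessions[login_id] = {"typed": now, "refreshed": now}
        return self._issue_ticket(login_id)

    def authenticate(self, login_id, now):
        """Request from a network server: if already authenticated, refresh silently."""
        session = self.sessions.get(login_id)
        if session is None:
            return None  # caller must retrieve login information from the user
        session["refreshed"] = now
        return self._issue_ticket(login_id)

    def _issue_ticket(self, login_id):
        # The ticket carries only the result and two time stamps: no login ID, no password.
        s = self.sessions[login_id]
        body = json.dumps({"authenticated": True, "typed_ts": s["typed"],
                           "refreshed_ts": s["refreshed"]}, sort_keys=True).encode()
        tag = hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()
        return base64.b64encode(body).decode() + "." + tag

def web_server_accepts(ticket, now, max_refresh_age, max_typed_age):
    """Affiliated web server: verify the ticket, then apply its own freshness policy."""
    try:
        body_b64, tag = ticket.split(".")
        body = base64.b64decode(body_b64)
    except ValueError:
        return False
    expected = hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    t = json.loads(body)
    return bool(t["authenticated"]
                and now - t["refreshed_ts"] <= max_refresh_age
                and now - t["typed_ts"] <= max_typed_age)
```

A site holding financial data can demand a recent "typed" time stamp while a low-risk site accepts a silently refreshed one, which is why the ticket carries both.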
In one embodiment of the invention, the network server is a web server coupled to the Internet.